If you add computers or users to a security group in Active Directory, there will be no immediate effect. The associated permissions only take effect after a user has logged on again or the computer has been rebooted. This can be avoided by renewing the Kerberos tickets.

If you make a server a member of an AD group, for example, to include it in the security filtering of a GPO or to grant it permissions to request a certificate, it simply may not be possible to restart it immediately afterwards. However, a reboot is usually necessary to update computer membership in AD groups.

Purging Kerberos tickets ^

You can bypass the reboot by renewing the Kerberos ticket for the computer with klist.exe. If you run

klist.exe sessions | findstr /i %COMPUTERNAME%

on a command prompt, you will see that the so-called low part of the local computer's LogonID always has the value 0x3e7, while 0x3e4 belongs to the network service. The corresponding cached Kerberos tickets can be displayed with

klist.exe -li 0x3e7
The low part of the local computers LogonID always has the value 0x3e7

The low part of the local computers LogonID always has the value 0x3e7

After adding the computer account to a new security group in AD, you can remove them using the purge parameter:

klist.exe -li 0x3e7 purge
Invoking klist.exe li 0x3e7 purge deletes the tickets for the computer account

Invoking klist.exe li 0x3e7 purge deletes the tickets for the computer account

Subsequently, by executing

gpupdate /force

you will get new tickets. If you run

klist.exe -li 0x3e7

again and compare the output with the earlier use of this command, you will see that the timestamps of the Kerberos tickets have changed.

Using

gpresult /r /scope computer

you can display the groups in which the local computer is a member. However, this command usually does not reflect changes after the ticket was renewed, regardless of whether the account was added to or removed from a group.

However, if you use an AD group for GPO security filtering, then the change has an immediate effect here and is also visible in the output of gpresult. The same applies to the permissions on other resources.

Server2022Preview has been added to the HR group which is not eligible for the WinRM GPO. gpresult does not show the HR group but the effect on filtering.

Server2022Preview has been added to the HR group which is not eligible for the WinRM GPO. gpresult does not show the HR group but the effect on filtering.

Updating memberships for users ^

While servers often cannot be restarted just to update membership in AD groups, it is usually not a major problem for users to log off and on again to gain access to certain resources by changing group memberships.

However, if you want to avoid a logoff, klist.exe can help here as well. In this case, after the user account has been added to a new group, execute

klist purge

on a command line without elevated privileges. The program prints the LogonID of the current user and confirms that the Kerberos tickets for this user have been deleted. To get new ones, you can start another instance of cmd.exe using runas.

After the klist purge a new instance of cmd.exe shows the membership of the user in the group HR

After the klist purge a new instance of cmd.exe shows the membership of the user in the group HR

If you run

whoami /groups

there, then the change in the group memberships should already be noticeable. Accordingly, the user should also be able to access a network share, for example via the FQDN of the server, which he was denied before he was added to the new AD group.

Subscribe to 4sysops newsletter!

It is obvious that the described solution works only for services that support Kerberos. With NTLM authentication, there is no way around rebooting or logging out.

+3
avataravatar
1 Comment
  1. King Dingaling 5 months ago

    In your screenshot it shows the gpo being denied for the computer object, not a group. Therefore a simple gpupdate would pick up that change anyway. 

    0

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account